From e4608715e6e1dd2adc91982fd151d5ba4f761d69 Mon Sep 17 00:00:00 2001 From: Carlos O'Donell Date: Fri, 19 Jul 2013 02:42:03 -0400 Subject: CVE-2013-2207, BZ #15755: Disable pt_chown. The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk. --- INSTALL | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'INSTALL') diff --git a/INSTALL b/INSTALL index 721a7fc..2c61704 100644 --- a/INSTALL +++ b/INSTALL @@ -136,6 +136,18 @@ will be used, and CFLAGS sets optimization options for the compiler. `--enable-lock-elision=yes' Enable lock elision for pthread mutexes by default. +`--enable-pt_chown' + The file `pt_chown' is a helper binary for `grantpt' (*note + Pseudo-Terminals: Allocation.) that is installed setuid root to + fix up pseudo-terminal ownership. It is not built by default + because systems using the Linux kernel are commonly built with the + `devpts' filesystem enabled and mounted at `/dev/pts', which + manages pseudo-terminal ownership automatically. By using + `--enable-pt_chown', you may build `pt_chown' and install it + setuid and owned by `root'. The use of `pt_chown' introduces + additional security risks to the system and you should enable it + only if you understand and accept those risks. + `--build=BUILD-SYSTEM' `--host=HOST-SYSTEM' These options are for cross-compiling. If you specify both -- cgit v1.1